Unlocking Enterprise AI: How Keycloak and ID Jot Streamline Authorization
In today’s increasingly complex digital landscape, enterprises are leveraging AI agents to automate tasks and interact with a multitude of tools. But how do we ensure these agents have secure and efficient access to the resources they need, especially within the strict confines of an enterprise environment? Yutaka Obuchi, a dedicated Keycloak contributor and software engineer at Hitachi, dives deep into this critical question, exploring the challenges and presenting an elegant solution using Keycloak and the emerging ID Jot standard.
The Rise of Agent AI and the MCP Challenge
Imagine an AI agent acting on behalf of a user, seamlessly interacting with various tools and applications. This is the promise of Agent AI. However, as the number of tools grows, the Agent AI faces a significant hurdle: it needs to understand and communicate with each tool individually, often using different protocols. This doesn’t scale well.
This is where the MCP (Message Communication Protocol) comes in. MCP acts as a universal translator, allowing Agent AI to communicate with all tools using a single, standardized language.
OAuth 2.0 and MCP: A Powerful Partnership
To understand the authorization flow, let’s map MCP to OAuth 2.0 terms:
- Resource Owner: The User
- Client Application: Agent AI
- Resource Server: Each Tool
- Authorization Server: MCP Server
This forms the foundation for securing access within this ecosystem.
Enterprise Use Cases: The Identity Provider Dilemma
In an enterprise setting, a centralized Identity Provider (IDP) is crucial for managing user identities and controlling access to applications. When Agent AI and MCP are introduced, they typically integrate with this existing IDP.
Here’s the standard (and often complex) flow:
- User Authentication with OIDC: The Agent AI initiates an authorization request to the IDP. The IDP handles user authentication and consent, then returns an authorization response, granting the Agent AI an access token and ID token. This effectively logs the user into the Agent AI application.
- Authorization for MCP Resources: The Agent AI then requests access to MCP resources from the MCP authorization server, using the access token obtained earlier.
  - The MCP authorization server, in turn, delegates authorization to the IDP. This is known as identity brokering.
  - The IDP authenticates the user (seamlessly due to SSO) and returns an authorization response to the MCP authorization server.
  - The MCP authorization server then obtains tokens from the IDP, checks them, gains consent, and finally sends an authorization response back to the Agent AI, granting it an access token to connect to the resource server.
This process needs to be repeated for each MCP server the Agent AI needs to access.
The Pain Points of the Standard Flow
This seemingly standard flow introduces significant challenges in an enterprise:
- Lack of Enterprise Visibility and Control: The IDP only knows about identity brokering. It has no visibility into which specific MCP servers the Agent AI is accessing. This makes it incredibly difficult for enterprise administrators to monitor and control resource access across the organization.
- Excessive User Interaction: For each new MCP server, the user is bombarded with prompts and consent screens. As the number of resources grows, this becomes a significant burden, making it hard for users to provide accurate responses and leading to a poor user experience.
The Solution: Enterprise Managed Authorization with ID Jot
To address these pain points, a proposed solution has emerged: Enterprise Managed Authorization within the MCP community, based on the Identity Assertion JWT Authorization Grant (ID Jot).
ID Jot, as described in IETF internet drafts, allows an Agent AI (acting as an MCP client) to obtain an access token from an MCP authorization server by presenting an identity assertion it previously obtained from the enterprise IDP during single sign-on.
ID Jot is comprised of two key parts:
- Assertion Issuance: Based on RFC 8693 (Token Exchange), this defines how an enterprise IDP issues an assertion to the MCP client.
- Assertion Consumption: Based on RFC 7523 (JWT Authorization Grant), this describes how the MCP client sends this assertion as a token request to the MCP authorization server.
How ID Jot Solves the Problems
Let’s look at the ID Jot flow:
- User Authentication with OIDC: This part remains similar to the standard flow.
- Authorization with ID Jot:
  - The Agent AI uses a token exchange request with the ID token received in the previous step to obtain an ID Jot assertion from the IDP.
  - Crucially, this token exchange request provides the IDP with information about which resource server the Agent AI intends to access.
  - The Agent AI then sends this ID Jot assertion to the MCP authorization server to obtain the necessary access token.
This elegantly solves the enterprise challenges:
- Enhanced Enterprise Visibility and Control: By including the target resource server in the token exchange, the IDP gains visibility into resource access. Enterprise administrators can now effectively monitor and control which MCP servers Agent AI can access.
- Reduced User Interaction: The entire process of obtaining the assertion and then the access token is handled by the Agent AI. This means no further user interaction is required, regardless of how many MCP servers are added, significantly improving the user experience.
The Status of ID Jot Implementation in Keycloak
So, where does Keycloak stand with these advancements?
- Assertion Issuance (Token Exchange - RFC 8693): Keycloak already supports token exchange, which is fundamental for issuing assertions.
- Assertion Consumption (JWT Authorization Grant - RFC 7523): This is implemented and available as a preview in Keycloak.
- ID Jot (Combined Issuance & Consumption):
  - For the assertion issuance part of ID Jot, support is not yet available.
  - For the assertion consumption part, a pull request (PR #4608) is currently under review, with ongoing discussions.
A Real-World Demonstration: Keycloak and Okta Integrate
To showcase the practical application of ID Jot, a demonstration was presented, integrating Keycloak with Okta.
- Scenario: An MCP client obtains an ID Jot assertion from Okta (acting as the IDP) and then uses this assertion to get an access token from Keycloak (acting as the MCP authorization server).
- Actors:
  - IDP: Okta’s trial environment
  - MCP Client: A Node.js web application
  - MCP Authorization Server: Keycloak (a Node.js web application in the original sample)
The demonstration walked through:
- Initializing the MCP client and attempting to access resources.
- Connecting to Okta for authentication.
- Observing the backend processes where the MCP client exchanges tokens with Okta for the ID Jot assertion and then requests an access token from Keycloak.
- Examining the ID Jot assertion and the resulting access token using tools like jwt.io, confirming the iss (issuer) as Okta, aud (audience) as Keycloak, and the subject being the user ID. The access token’s issuer was Keycloak, and its audience was configured via a wizard mapper.
This demo highlighted the realistic integration of Keycloak with Okta for enterprise-grade authorization.
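The two token requests of the ID Jot flow and the iss/aud/sub checks examined in the demo, as an added example that is not code from the talk, the demo, or Keycloak. The issuer URLs, the key pair and the signAssertion helper are constructed for illustration; the requested_token_type URN and the typ header value are assumptions taken from the IETF draft, since the page does not state them.

```javascript
const crypto = require('crypto');

// Assumed issuer identifiers (constructed for this example).
const IDP = 'https://idp.example.com';
const MCP_AS = 'https://mcp-as.example.com';
const b64u = (x) => Buffer.from(x).toString('base64url');

// Step 1 (RFC 8693): exchange the ID token for an assertion, naming the target.
function tokenExchangeRequest(idToken, resource) {
  return new URLSearchParams({
    grant_type: 'urn:ietf:params:oauth:grant-type:token-exchange',
    requested_token_type: 'urn:ietf:params:oauth:token-type:id-jag', // per draft
    subject_token: idToken,
    subject_token_type: 'urn:ietf:params:oauth:token-type:id_token',
    audience: MCP_AS, // authorization server that will consume the assertion
    resource, // resource server the agent intends to access
  });
}

// Step 2 (RFC 7523): present the assertion to the MCP authorization server.
function jwtBearerRequest(assertion) {
  return new URLSearchParams({ grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer', assertion });
}

// Authorization-server side: verify the signature, then iss / aud / exp / sub.
function validateAssertion(jwt, idpPublicKey, now = Math.floor(Date.now() / 1000)) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url'));
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  if (header.typ !== 'oauth-id-jag+jwt') throw new Error('unexpected typ');
  const sig = Buffer.from(s, 'base64url');
  if (!crypto.verify('sha256', Buffer.from(`${h}.${p}`), idpPublicKey, sig)) throw new Error('bad signature');
  const c = JSON.parse(Buffer.from(p, 'base64url'));
  if (c.iss !== IDP) throw new Error('untrusted issuer');
  if (c.aud !== MCP_AS) throw new Error('wrong audience');
  if (typeof c.exp !== 'number' || c.exp <= now) throw new Error('expired');
  if (!c.sub) throw new Error('missing subject');
  return c;
}

// Constructed IdP key pair and signer, standing in for the real IDP.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
function signAssertion(claims) {
  const head = b64u(JSON.stringify({ alg: 'RS256', typ: 'oauth-id-jag+jwt' }));
  const input = `${head}.${b64u(JSON.stringify(claims))}`;
  return `${input}.${crypto.sign('sha256', Buffer.from(input), privateKey).toString('base64url')}`;
}
```

The audience check is what stops an assertion minted for one MCP authorization server from being replayed at another.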
Key Takeaways for Enterprise Authorization
To wrap up, two crucial points emerge:
- ID Jot is a Game-Changer: The Identity Assertion JWT Authorization Grant is a vital OAuth 2.0 extension designed to solve the complex authorization challenges faced by Agent AI in enterprise environments. It empowers centralized IDPs to manage identities and application access more effectively.
- Keycloak is Ready to Go: Keycloak’s existing capabilities, coupled with ongoing development for ID Jot, position it as a powerful solution for implementing enterprise-managed authorization. The ability for Keycloak’s token endpoint to receive ID Jot assertions and issue access tokens, with some customization and ongoing PRs, is a significant step forward.
The journey towards seamless and secure AI agent authorization in enterprises is well underway, and Keycloak, with the support of standards like ID Jot, is leading the charge.